Comcast is to switch off its Domain Helper service, which captures DNS error traffic and presents surfers with sponsored search results instead, as part of its DNSSEC implementation.

The ISP said yesterday that it has started to roll out the new security mechanism to its production DNS servers across the US and expects to have all customers using DNSSEC by the “early part of 2011”.

The deployment will come in two phases. The first phase, expected to last 60 days, sees DNSSEC turned on for subscribers who have previously opted out of the Domain Helper system.

After that, Comcast will continue the rollout to all of its customers, which will involve killing off the Domain Helper service for good.

# We believe that the web error redirection function of Comcast Domain Helper is technically incompatible with DNSSEC.
# Comcast has always known this and plans to turn off such redirection when DNSSEC is fully implemented.
# The production network DNSSEC servers do not have Comcast Domain Helper’s DNS redirect functionality enabled.

When web users try to visit a non-existent domain, DNS normally supplies a “does-not-exist” reply. Over recent years it has become increasingly common for ISPs to intercept this response and show users a monetized search page instead.

But DNSSEC introduces new anti-spoofing features that require such responses to be cryptographically signed. This, it seems, means ISPs will no longer be able to intercept and monetize error traffic without interfering with the end-to-end functionality of DNSSEC.

Comcast, which has been trialing the technology with volunteers for most of the year, says that to do so “breaks the chain of trust critical to proper DNSSEC validation functionality”.

It looks like it’s the beginning of the end of the ISP error wildcard. That’s got to be a good thing, right?